Add implementation for CloudFormation Custom Resource Emulator

[flostadler]

This PR adds support for CloudFormation Custom Resource to the aws-native provider. It implements an emulator that enables Pulumi programs to interact with Lambda-backed CloudFormation Custom Resources.

A CloudFormation custom resource is essentially an extension point to run arbitrary code as part of the CloudFormation lifecycle. It is similar in concept to the Pulumi Command Provider, the difference being that CloudFormation CustomResources are executed in the Cloud; either through Lambda or SNS.

For the first implementation we decided to limit the scope to Lambda backed Custom Resources, because the SNS variants are not widely used.

Custom Resource Protocol

The implementation follows the CloudFormation Custom Resource protocol. I derived the necessary parts by combining information from the docs, CDKs CustomResource Framework and trial&error.

Notable aspects of that protocol are:

• primitive properties need to be string encoded when sending them to Custom Resource handlers. This includes deeply nested properties: AWS::CloudFormation::CustomResource - Lambda Backed CustomResource's ResourceProperties converts int and boolean properties to strings aws-cloudformation/cloudformation-coverage-roadmap#1037
• The Lambda Function is invoked asynchronously. Lambda will retry the execution if the function fails unexpectedly (e.g. unhandled exception).
• Due to the async invocation, the response is not returned from the Lambda Function, instead it's sent to a ResponseURL that needs to be included in the request payload.
  • Similarly to CloudFormation, we decided to implement this using S3 Buckets and presigned URLs.

Custom Resource Lifecycle

sequenceDiagram
    participant A as aws-native
    participant S3 as S3 Bucket
    participant L as Lambda
    
    %% Create Flow
    Note over A,L: Create Operation
    A->>S3: Generate presigned URL
    A->>L: Invoke with CREATE event
    activate L
    loop Until response found or timeout
        A->>S3: Poll for response
        L-->>S3: Upload response
    end
    deactivate L
    A->>S3: Fetch response
    alt Success
        A->>A: Store PhysicalId & outputs
    else Failure
        A->>A: Return error
    end

    %% Update Flow
    Note over A,L: Update Operation
    A->>S3: Generate presigned URL
    A->>L: Invoke with UPDATE event
    activate L
    loop Until response found or timeout
        A->>S3: Poll for response
        L-->>S3: Upload response
    end
    deactivate L
    A->>S3: Fetch response
    alt Success
        A->>A: Check PhysicalId
        alt ID Changed
            A->>S3: Generate presigned URL for cleanup
            A->>L: Invoke with DELETE event for old resource
            activate L
            loop Until cleanup response found or timeout
                A->>S3: Poll for cleanup response
                L-->>S3: Upload cleanup response
            end
            deactivate L
            A->>S3: Fetch cleanup response
        end
    else Failure
        A->>A: Return error
    end

    %% Delete Flow
    Note over A,L: Delete Operation
    A->>S3: Generate presigned URL
    A->>L: Invoke with DELETE event
    activate L
    loop Until response found or timeout
        A->>S3: Poll for response
        L-->>S3: Upload response
    end
    deactivate L
    A->>S3: Fetch response
    alt Success
        A->>A: Return success
    else Failure
        A->>A: Return error
    end

Loading

Reviewer Notes

Key areas to review:

1. Error handling in the response collection mechanism
2. Timeout management, especially for the Update lifecycle
3. Documentation completeness and accuracy

Exposing this resource and schematizing it is part of this PR #1807.
Automatically cleaning up the response objects is not included in this PR in order to keep its size manageable. Implementing this is tracked here: #1813.

Please pay special attention to:

• S3 response collection mechanism security
• State management during updates
• Cleanup handling when physical resource IDs change

Testing

• Unit tests including error handling tests for various failure scenarios
• Integration tests with actual Lambda functions are added in this stacked PR: Expose CloudFormation Custom Resource Emulator Resource #1807

Related Issues

• Support CDK Custom Resources pulumi-cdk#109
• Support SNS-backed CloudFormation Custom Resources #1812
• Clean up responses of Lambda-backed CloudFormation Custom Resources #1813

[flostadler]

This change is part of the following stack:

• Add implementation for CloudFormation Custom Resource Emulator #1806 ◀
  • Expose CloudFormation Custom Resource Emulator Resource #1807

_{Change managed by git-spice.}

[github-actions]

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

[codecov]

Codecov Report

Attention: Patch coverage is 59.43152% with 157 lines in your changes missing coverage. Please review.

Project coverage is 48.13%. Comparing base (04539b4) to head (b184dc0).
Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
provider/pkg/resources/cfn_custom_resource.go	59.43%	142 Missing and 15 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1806      +/-   ##
==========================================
+ Coverage   46.81%   48.13%   +1.32%     
==========================================
  Files          42       43       +1     
  Lines        6167     6554     +387     
==========================================
+ Hits         2887     3155     +268     
- Misses       3052     3156     +104     
- Partials      228      243      +15     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[corymhall]

Just a couple of minor comments, otherwise this is awesome! Great work!

[corymhall]

Is there a way for us to get the resource options here, specifically the retainOnDelete option? I know there were times that I would set the retainOnDelete to true for custom resources because they didn't handle delete well.

[flostadler]

Sadly, not that I'm aware of: https://pulumi-developer-docs.readthedocs.io/latest/docs/_generated/proto/provider.html#pulumirpc-updaterequest

[t0yv0]

Only MLCs have access to retainOnDelete it seems:
https://github.com/pulumi/pulumi/blob/master/proto/pulumi/provider.proto#L473

For CustomResources that are traditional I don't think the engine ever cooperates with the provider on this. The engine handles it all engine-side.

[t0yv0]

This sentence here is a bit confusing. "This can be a Lambda Function ARN", perhaps give a quick example?

Also should this be marked Secret/Sensitive in the scehema?

[flostadler]

Lambda function ARNs (including alias or version) are a very common concept in AWS. I don't think we should go into too much detail about it here.

This is also not a secret, ARNs are just unique IDs

[t0yv0]

I was confused that this is called "serviceToken". This made me think of access tokens or some such. If there's precedent of calling lambda ARNs "tokens" then TIL.

[flostadler]

I also don't like the name... It's what CloudFormation called this property. I think there's precedence to stick to their naming patterns given we're trying to emulate their behavior/API

[t0yv0]

Comment here that len(oldState) is trying to guess if we are in a Read-for-import.
The developer docs are improving but not quite there yet but are being improved (cc @lunaris )

https://pulumi-developer-docs.readthedocs.io/latest/developer-docs/providers/implementers-guide.html#read

[t0yv0]

Nit: Go likes minimal interfaces so you only really need Now(), as Since can be computed from Now in a func.

[flostadler]

Yes, but that would clutter the implementation. The purpose of this interface is to make the code testable. I'd rather just pass through to the stdlib than add custom code

[flostadler]

Mhm, I guess this is a bit of a moot point from my side given that you can subtract times and get the duration that way

[t0yv0]

Yeah it's really a small nit, feel free to disregard.

[t0yv0]

I do not fully trust this function, and reading the docs quickly is not very reassuring some of the concerns I have.

I think we might need to think about this a bit (probably out of scope of this PR but before being fully confident).

What happens with unknowns, dependencies and secrets?

For secrets it's a design question - custom resources do not support them right? So we need to support secrets through the black-box transformation I think?

[flostadler]

We're already quite heavily using the resourcex.Decode and resourcex.Unmarshal methods in the provider. From what I can tell they work fine.

Additionally we're not using the unmarshalled typedInputs to construct the outputs, but rather use the inputs resource.PropertyMap to construct the outputs.
From that aspect, we're properly handling secrets.

Unknowns are a good point though. I'll try to double check whether this can receive unknowns if SupportsPreview: false.

[t0yv0]

I was wondering if this is ever called in Preview, but looks like the provider is SupportsPreview: false so we're good. It never is! No unknowns then.

[t0yv0]

I think this might still receive unknowns but I'm not 100% sure.

[flostadler]

I'll double check. It's not a big deal if we stick to using the PropertyMap for Check

[t0yv0]

Would it be possible to see here what is returned to the engine from Create in this test case?

Perhaps with hexops/autogold if it's too much trouble to write by hand.

[flostadler]

We're asserting this with the assertion in line 348. In case noEcho is set to true, we expect the data prop to be marked as a secret.

[t0yv0]

Ah ok!

[t0yv0]

Here's the serviceToken example, I see. Indeed it looks like a lambda ARN. Interesting.

[t0yv0]

🚢